auth: adapt libssh to gssapi-with-mic server

Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2013-02-20 23:20:44 +01:00 · 2013-02-20 23:20:44 +01:00 · 3b52e38a33
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@ -164,6 +164,7 @@ enum ssh_auth_e {
 #define SSH_AUTH_METHOD_PUBLICKEY 0x0004
 #define SSH_AUTH_METHOD_HOSTBASED 0x0008
 #define SSH_AUTH_METHOD_INTERACTIVE 0x0010
+#define SSH_AUTH_METHOD_GSSAPI_MIC 0x0020

 /* messages */
 enum ssh_requests_e {
--- a/include/libssh/priv.h
+++ b/include/libssh/priv.h
@ -179,8 +179,9 @@ void _ssh_set_error_oom(void *error, const char *function);
 void _ssh_set_error_invalid(void *error, const char *function);


-
-
+/* server.c */
+int ssh_auth_reply_default(ssh_session session,int partial);
+int ssh_auth_reply_success(ssh_session session, int partial);

 /* client.c */

--- a/include/libssh/server.h
+++ b/include/libssh/server.h
@ -254,6 +254,8 @@ LIBSSH_API int ssh_handle_key_exchange(ssh_session session);
 */
 LIBSSH_API void ssh_bind_free(ssh_bind ssh_bind_o);

+LIBSSH_API void ssh_set_auth_methods(ssh_session session, int auth_methods);
+
 /**********************************************************
 * SERVER MESSAGING
 **********************************************************/
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@ -143,6 +143,7 @@ struct ssh_session_struct {

 /* keyb interactive data */
    struct ssh_kbdint_struct *kbdint;
+    struct ssh_gssapi_struct *gssapi;
    int version; /* 1 or 2 */
    /* server host keys */
    struct {
--- a/src/messages.c
+++ b/src/messages.c
@ -44,6 +44,7 @@
 #include "libssh/messages.h"
 #ifdef WITH_SERVER
 #include "libssh/server.h"
+#include "libssh/gssapi.h"
 #endif

 /**
@ -740,6 +741,54 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){
    }
    goto end;
  }
+  if (strncmp(method, "gssapi-with-mic", method_size) == 0) {
+     uint32_t n_oid;
+     ssh_string *oids;
+     ssh_string oid;
+     char *hexa;
+     int i;
+     buffer_get_u32(packet, &n_oid);
+     n_oid=ntohl(n_oid);
+     if(n_oid > 100){
+    	 ssh_set_error(session, SSH_FATAL, "USERAUTH_REQUEST: gssapi-with-mic OID count too big (%d)",n_oid);
+    	 goto error;
+     }
+     ssh_log(session, SSH_LOG_PACKET, "gssapi: %d OIDs", n_oid);
+     oids = calloc(n_oid, sizeof(ssh_string));
+     if (oids == NULL){
+    	 ssh_set_error_oom(session);
+    	 goto error;
+     }
+     for (i=0;i<(int) n_oid;++i){
+    	 oid=buffer_get_ssh_string(packet);
+    	 if(oid == NULL){
+    		 for(i=i-1;i>=0;--i){
+    			 SAFE_FREE(oids[i]);
+    		 }
+    		 SAFE_FREE(oids);
+    		 ssh_set_error(session, SSH_LOG_PACKET, "USERAUTH_REQUEST: gssapi-with-mic missing OID");
+    		 goto error;
+    	 }
+    	 oids[i] = oid;
+    	 if(session->common.log_verbosity >= SSH_LOG_PACKET){
+    		 hexa = ssh_get_hexa(ssh_string_data(oid), ssh_string_len(oid));
+    		 ssh_log(session, SSH_LOG_PACKET,"gssapi: OID %d: %s",i, hexa);
+    		 SAFE_FREE(hexa);
+    	 }
+     }
+     ssh_gssapi_handle_userauth(session, msg->auth_request.username, n_oid, oids);
+
+     for(i=0;i<(int)n_oid;++i){
+    	 SAFE_FREE(oids[i]);
+     }
+     SAFE_FREE(oids);
+     /* bypass the message queue thing */
+     SAFE_FREE(service);
+     SAFE_FREE(method);
+     ssh_message_free(msg);
+     leave_function();
+     return SSH_PACKET_USED;
+  }

  msg->auth_request.method = SSH_AUTH_METHOD_UNKNOWN;
  SAFE_FREE(method);
@ -783,6 +832,10 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){

  ssh_message msg = NULL;

+  /* GSSAPI_TOKEN has same packed number. XXX fix this */
+  if (session->gssapi != NULL)
+	  return ssh_packet_userauth_gssapi_token(session, type, packet, user);
+
  enter_function();

  (void)user;
--- a/src/packet.c
+++ b/src/packet.c
@ -46,6 +46,7 @@
 #include "libssh/pcap.h"
 #include "libssh/kex.h"
 #include "libssh/auth.h"
+#include "libssh/gssapi.h"

 #define MACSIZE SHA_DIGEST_LEN

@ -85,9 +86,15 @@ static ssh_packet_callback default_packet_handlers[]= {
                                           // SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ  60
                                           // SSH2_MSG_USERAUTH_INFO_REQUEST	  60
  ssh_packet_userauth_info_response,       // SSH2_MSG_USERAUTH_INFO_RESPONSE     61
+                                           // SSH2_MSG_USERAUTH_GSSAPI_TOKEN      61
+  NULL,                                    //                                     62
+  NULL,                             // SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63
+  NULL,                                    // SSH2_MSG_USERAUTH_GSSAPI_ERROR      64
+  NULL,                                    // SSH2_MSG_USERAUTH_GSSAPI_ERRTOK     65
+  ssh_packet_userauth_gssapi_mic,          // SSH2_MSG_USERAUTH_GSSAPI_MIC        66
+  NULL, NULL,
  NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-  NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-  NULL, NULL, NULL, NULL,                  //                                     62-79
+  NULL, NULL, NULL, NULL,                  //                                     67-79
 #ifdef WITH_SERVER
  ssh_packet_global_request,               // SSH2_MSG_GLOBAL_REQUEST             80
 #else /* WITH_SERVER */